Updates for critical vulnerabilities in Drupal 8

Submitted by dryer on Wed, 09/21/2016 - 03:42

The Drupal security team has announced critical security updates for Drupal 8 core. The release covers three issues: comment visibility, cross-site scripting, and unauthorised export of the full site configuration:

A user without the "administer comments" permission can nevertheless set the comment visibility of nodes: whoever has the right to edit a node can also change whether comments on that node are shown. This issue is not rated critical.

Cross-site scripting via HTTP exceptions is the second issue: an attacker can craft a URL that, when a victim opens it, executes attacker-controlled script in the victim's browser. The root cause is that Drupal reflected attacker-controlled input into the HTTP exception (error) response without sufficient sanitisation.

The full site configuration can be exported through the administration interface without the permission that should guard it, yielding a complete dump of the Drupal configuration. Such an export gives deep insight into the architecture of the installation (enabled modules, content types, routes, and any secrets a contributed module stores in configuration). Note that database credentials live in settings.php rather than in exported configuration, so the export does not hand over the database directly; on shared hosting, however, the detailed picture of the site can help an attacker find a route to it and expose it further.

Users of Drupal 8 are advised to upgrade to the latest version immediately to avoid compromise, as reportedly happened in the Mossack Fonseca case, where an unmaintained Drupal installation was alleged to be one of the routes by which confidential data was compromised. Identifying the Drupal version in use is easily done by observing the CHANGELOG.txt at the root of the site, for example: https://www.drupal.org/CHANGELOG.txt (Drupal 8 keeps the file under core/CHANGELOG.txt; the authoritative version string is the VERSION constant in core/lib/Drupal.php, which is readable only on the server). Blocking public access to these files reduces fingerprinting, but is no substitute for applying the update.
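As an added example (not code from the original post or from the Drupal project), the following script turns the CHANGELOG.txt check described above into something repeatable: it parses the "Drupal X.Y.Z, YYYY-MM-DD" header line that Drupal's CHANGELOG.txt uses, compares the version it finds against the release that closed the advisory, and reports a verdict. The sample changelog body is constructed for the demonstration; FIXED_VERSION is set to 8.1.10, the Drupal 8 release published with this advisory, which the post itself does not name. The candidate paths /CHANGELOG.txt and /core/CHANGELOG.txt, and the assumption that the first version line names the installed release, are assumptions of this example.

```python
"""Check a Drupal site's CHANGELOG.txt for a core version older than a fix.

Added example, not part of the original post. Assumptions:
  - the site exposes CHANGELOG.txt at the root (Drupal 7 layout) or under
    core/ (Drupal 8 layout)
  - the first "Drupal X.Y.Z, YYYY-MM-DD" line names the installed release
  - FIXED_VERSION is the release that closed the advisory (8.1.10 assumed)
"""
import re
import sys
import urllib.request
from typing import Optional, Tuple

# Assumption: the release that closed this advisory. Adjust per advisory.
FIXED_VERSION = "8.1.10"

# Paths tried in order (assumption: root for Drupal 7, core/ for Drupal 8).
CANDIDATE_PATHS = ("/CHANGELOG.txt", "/core/CHANGELOG.txt")

# Matches the header line of each release entry, e.g. "Drupal 8.1.9, 2016-09-07".
VERSION_RE = re.compile(r"^Drupal (\d+(?:\.\d+){1,2})\b", re.MULTILINE)

# Constructed sample of a CHANGELOG.txt body; not fetched from any real site.
SAMPLE_CHANGELOG = """\
Drupal 8.1.9, 2016-09-07
------------------------
- Fixed bugs.

Drupal 8.1.8, 2016-08-03
------------------------
- Fixed bugs.
"""


def parse_version(changelog: str) -> Optional[str]:
    """Return the first (newest) version named in a CHANGELOG.txt body, or None."""
    m = VERSION_RE.search(changelog)
    return m.group(1) if m else None


def version_tuple(v: str) -> Tuple[int, ...]:
    """'8.1.9' -> (8, 1, 9); '8.1' -> (8, 1, 0), padded so tuples compare cleanly."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed release is on the fixed release's major branch
    and predates it. Other majors (e.g. Drupal 7) are not covered by this advisory."""
    inst, fix = version_tuple(installed), version_tuple(fixed)
    return inst[0] == fix[0] and inst < fix


def assess(changelog: str, fixed: str = FIXED_VERSION) -> str:
    """One-line verdict for a CHANGELOG.txt body."""
    v = parse_version(changelog)
    if v is None:
        return "version not found in CHANGELOG.txt"
    if is_vulnerable(v, fixed):
        return f"Drupal {v}: VULNERABLE (older than {fixed})"
    return f"Drupal {v}: not affected by this advisory"


def fetch_changelog(base_url: str, timeout: float = 5.0) -> Optional[str]:
    """Try the known CHANGELOG.txt locations; return the first body that looks
    like a Drupal changelog, or None if the site does not expose one."""
    for path in CANDIDATE_PATHS:
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as r:
                body = r.read().decode("utf-8", "replace")
        except Exception:
            continue
        if VERSION_RE.search(body):
            return body
    return None


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_drupal.py https://example.org
        body = fetch_changelog(sys.argv[1])
        print(assess(body) if body else "no CHANGELOG.txt exposed; verify the version locally")
    else:
        print(assess(SAMPLE_CHANGELOG))
```

Run it with a base URL to query a site you are authorised to test, or with no arguments to see the verdict on the constructed sample. A missing CHANGELOG.txt is not evidence of a patched site: check core/lib/Drupal.php on the server in that case.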